Exim Buffer Overflow RCE Vulnerability (CVE-2018-6789) – What You Need to Know
On February 10, the Unix-based email server Exim released an update to address a heap buffer overflow vulnerability that can be used by an unauthenticated attacker to remotely execute arbitrary code. The flaw, assigned CVE-2018-6789, is noted to exist in all versions of Exim, prior to their latest release, 4.90.1, which means the attack surface potential is very wide. A quick search on Shodan yields more than 6 million results.
Vulnerability details
The vulnerability was originally discovered by DEVCORE, and details were published on their blog on March 6. The vulnerability is due to a flaw in the b64decode buffer length in the base64d() function. Due to an off-by-one calculation mistake, heap memory can be overwritten when parsing an invalid base64 string leading to critical data being overwritten.
As base64 decoding is a widely used function, and since the byte is user-controlled, this increases the ease of exploitation, which can be utilized for remote code execution.
Identifying affected systems
To detect systems affected by this critical flaw, Tenable has released Nessus® plugins for Tenable.io Vulnerability Management, SecurityCenter and Nessus Pro. Additionally, Tenable has released passive detection via Nessus Network Monitor, which may be used with Tenable.io Vulnerability Management to detect the vulnerability passively on the network. Tenable.io Container Security has also been updated to detect the Exim off-by-one RCE vulnerability in Docker container images. The following table summarizes Tenable's coverage.
|
Plugin ID |
Description |
|
107149 |
Exim < 4.90.1 Buffer Overflow RCE Vulnerability |
|
700223 (Nessus Network Monitor) |
Exim < 4.90.1 Remote Code Execution |
|
106722 |
Debian DLA-1274-1 : exim4 security update |
|
106728 |
Debian DSA-4110-1 : exim4 - security update |
|
107007 |
Fedora 26 : exim (2018-25a7ba3cb6) |
|
107009 |
Fedora 27 : exim (2018-5aec14e125) |
|
106733 |
FreeBSD : exim -- a buffer overflow vulnerability, remote code execution (316b3c3e-0e98-11e8-8d41-97657151f8c2) |
|
106888 |
openSUSE Security Update : exim (openSUSE-2018-170) |
|
106791 |
Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : exim4 vulnerability (USN-3565-1) |
|
107178 |
GLSA-201803-01 : Exim: Multiple vulnerabilities |
What should you do?
If you’re running a version of Exim prior to 4.90.1, make sure you update to the most current release. Exim notes that all versions of Exim prior to 4.90.1 are now obsolete and that 3.x releases are also obsolete and should not be used.
Get more information
- Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface
- Get a free 60-day trial of Tenable.io Vulnerability Management
- DEVCORE blog details
- Exim ChangeLog
- Exim CVE-2018-6789 Advisory
Related Articles
Foreshadow: Speculative Execution Attack Targets Intel SGX
August 14, 2018A flaw in Intel’s Software Guard Extensions implementation allows an attacker to access data stored in memory of other applications running on the same host, without the need for privilege escalation....
Advisory: Red Hat DHCP Client Command Injection Trouble
May 17, 2018On May 15, Red Hat disclosed a critical vulnerability in a script included in NetworkManager for the Dynamic Host Configuration Protocol (DHCP) client on Red Hat Enterprise Linux (RHEL). The vulnerabi...
Advisory: Intel...Simply Misunderstood?
May 11, 2018To close numerous security gaps, Microsoft, Adobe, Apple, Red Hat, Xen, VMware and other vendors have released a number of patches in the first 10 days of May. We discussed some of these in our recent...
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
- Plugins